Bring Your Own Disaster

Aamir Lakhani

Tue, 23rd October 2012


Speaker Bio:
Mobile Device Management (MDM) is the hottest technology among mobile security and BYOD (Bring Your Own Device) vendors. The big problem, from an information security standpoint, is that the devices being managed are prone to a multitude of vulnerabilities.

With many competing mobile device manufacturers, and corporations trying to establish safe BYOD policies, this is a massive area of concern that offers endless opportunities. BYOD security is a huge topic and Aamir is a recognised expert on the subject. In this talk Aamir examines the differences between MDM vendors and separates fact from fiction, i.e. what MDM can and cannot do.

Aamir has been with World Wide Technology for the last five years and has a doctorate in advanced modern cryptography. Aamir holds over 100 IT industry certifications from Cisco, Juniper, F5, VMware, HP and others, and has extensive experience with federal, defense and large enterprise customers in both pre-sales and post-sales roles.

Update! May 18th 2013: Aamir has a new website which is packed full of helpful advice, information and tutorials. The subjects are hacking, mobile security, cloud, government technology and more. Go check it out!

Max, Concise Courses:
Okay. It’s 12 p.m. Eastern Standard Time, Tuesday afternoon. I’ve got Aamir Lakhani here. Aamir is in sunny Las Vegas. So before we get into the presentation, Aamir is going to share a little bit, obviously, about himself. The presentation is “Bring Your Own Destruction.” And Aamir is a global senior technical solutions architect at World Wide Technology. So Aamir, please, tell us a little bit about yourself and what your focus is.

Aamir Lakhani:
My name is Aamir Lakhani and I work for World Wide Technology. World Wide is one of the largest fiscal partners out there in the world. We specialize in kind of everything to do with networking, working with the biggest and largest out there, such as Cisco, VMware, EMC, and really it’s our job to bring together all these different solutions and make sure that they all fit together in a cohesive way for our customers.

My specialty: I came from a background of specializing in offensive security, cyber security and the counterintelligence space, and my job at World Wide is to work with our Global 100-type companies, defense departments, and other types of government entities, to figure out what the best way is to help them secure against cyber threats. And of course mobility is one of the hot topics of discussion these days.


Max, Concise Courses:
Sounds good. And, Aamir, you’re going to Hacker Halted this week. So anyone who’s watching this, who’s going to be in Miami, there will be an opportunity to meet Aamir in person. So the presentation is Bring Your Own Destruction, BYOD. So when you get a chance, you can pull that up and just take it away.

Aamir Lakhani:
Excellent. All right. Hopefully you guys can see my screen. So I just told you a little bit about me, so we’ll just go ahead and skip that part. But, essentially, there’s always a lot of things to cover in BYOD or Bring Your Own Destruction. I’m probably not going to get a chance to cover everything, so we’ll give you some highlights, a little trailer here. But you can always find more information on my blog at cloudcentrics or contact me via Twitter if you wish to do so.

So why are we here? Well, we know why we’re here. It’s basically these devices. And there’s a little bit of animation in the first couple of slides. It’s not probably going to come out well, but we’ll get through it. I mean, these devices are being used everywhere. Apple kind of started the whole phenomenon, but people want to use these devices and there’s actually a little bit of love for these devices.

When people are standing in line for three days waiting to buy a device, they have a little bit of attachment to these devices, so they want to use these devices with their native apps in the way they’re supposed to be used. I always tell people that I wish I could replicate the love that people have for these devices on my match.com profile! I think I would be doing pretty well if I could somehow duplicate that effect. Because people definitely do love these devices. And what we’re really finding in the real world is there are three ways to use these devices. Obviously, people are using them on Wi-Fi or hotspots at their homes. They’re using them with cellular connections, with a lot of 3G and 4G connectivity. And then lastly, they want to bring them into work and use them on trusted Wi-Fi systems or corporate Wi-Fi systems and be able to access work resources in a seamless manner, like they’re already used to with their own computers.

And we know the problems. I’m sure everyone has heard a lot of these stats already. Just a couple of interesting ones I pulled up: you know, by 2015 we expect mobile data alone to be 3X the size of all the Internet data in 2005. So it’s growing exponentially. And, really, what we’re looking at is, by 2015, we’re going to have 26X more data than we had in 2010. I mean, it’s really growing at about a 96 percent rate. And what we’re expecting in the next four years is to have about 15 billion mobile devices.

Now, if you look at this stack, this really isn’t about the connected refrigerators and the connected coffee makers, this really is about smart phones. And if you kind of think about that, that means that we’re averaging about two smart phones per person on this planet. I actually went over to Microsoft, and Microsoft told me that these stats are wrong. They’re actually expecting about 30 billion mobile devices in the next four years. That’s actually saying something, you know. That’s saying a lot. Maybe they’re all like me because I have four or five mobile devices that I carry for research purposes, but I thought I was the only crazy one. There may be other people. I think so.

What are the threats? What are the real threats that exist today? The biggest threats are that these devices are always on, and they have a lot of data on them. In fact, they have a lot more data than we usually expect them to have. And the problem is that these devices can be examined. They can be copied. They can be set. A lot of people think that if you have basic security like passcodes, and a setting that says, “If I enter the wrong passcode 10 times, erase my data,” that’s good enough. But really, that’s not good enough security.

What we’re finding is it’s really easy to bypass some of the built-in security on these devices. And then on top of that, we have a lot of vulnerabilities within the applications themselves. Pretty recently Southwest Airlines’ app was using pure HTTP. So I could just be sitting on the network, and I could finesse the network or a wireless network, which is actually pretty easy to do, and I was able to get someone’s Southwest information if I really wanted to do that.

What we’re finding is that a lot of Web sites like Facebook, until recently, had really good security on their Web sites for desktops or laptops with full browsers, but they were afraid of the user experience. They were afraid of basically giving the user a slow experience. So they were actually using less secure HTTP sites, even for logins and for personal information. So it was really easy to kind of hack these applications and look at what’s going on behind them.

I just wanted to give you a summary of some of the attacks that we’re seeing in the wild. These are really popular and really easy attacks that are happening. There’s a popular site, this one is called “spoofcard”. There are a few different sites like this, where I can basically text anyone and make it look like it’s coming from any number. On this one I’m texting this 555 number, and I’m making it look like it’s coming from Bank of America.

And I have it come from a 284 number. A 284 number may seem like a regular long distance number, but it’s actually an area code used for toll fraud numbers. A lot of toll fraud comes from 284 numbers. You can dial this number, and it will charge anywhere from $50 to $2500 per minute. And the number might not do anything, just hang up on you. And you may not know about it until you get your phone bill. This is actually a real example that one of my customers got. I did change the phone number, but you can see if you get a text message like this that says, “Hey, this is Bank of America. Your account’s being hacked. Please call us,” your reaction is probably going to be to call this number right away.

You’re probably not going to think about it. You’re going to be like, “Hey, someone texted me.” It looks like a regular number. It’s not an international number. There’s no 001 in front of it. “I might call.” In this particular case, my particular client was actually charged $2500 per minute. And all the number did was pick up and hang up. And he did that about five times. He didn’t know what was going on until he called the number on the back of his card and realized that there was nothing going on. But he didn’t really think much of it at that point until he got his phone bill.

And there’s no protection. We don’t have protection against toll fraud like we do with the credit card companies. A lot of times we’re relying on the courtesy of our mobile phone providers. There are some protections, but they’re not as deep as what we have with our credit card companies, so that’s definitely a popular way of attacking.

A lot of other attacks, and these are just some of the popular ones we’re seeing: the SMS database, under certain circumstances, can be downloaded from mobile phones. So I can actually pull up the SMS history. I can even see the SMS messages that were deleted. I can see the date stamps, the to and from addresses, and phone numbers. Very easy to do. I have a lot of how-tos on how to do this on my Web site, for different platforms as well.

As I mentioned earlier, we have a lot of information on these phones that we don’t necessarily think about. In one particular case, and I think I have a screenshot of it here, in one particular case I may have just opened up an e-mail message and put my password in that e-mail message. I wasn’t really thinking about sending this password anywhere. It was just easier for me to pull up my e-mail message instead of opening up a notes application. What iPhones do is, they actually save snapshots. Every time you click on an application and then click on another application, if you look closely at your screen, you’ll notice the screen kind of shrinks. What’s happening is the device is actually taking a snapshot of the screen and saving that for multitasking. These pictures are actually saved on the device. And depending on your configuration, they’ll be saved on the device for a very long time. And under the right circumstances, they can be pulled off the device as well. What a smart hacker!

Now, granted, sometimes he’ll have to do jailbreaking. And there have been cases of remote jailbreaking. So I can jailbreak your device, and I don’t have to really give you an icon. So I don’t let you know that I’ve jailbroken your device, and I can start pulling out this kind of information. This is more than just my e-mail. This was something that I wasn’t even expecting to keep, and all of a sudden I put myself in a compromising position. The last thing, and I know we’re running low on time: the biggest thing about these devices is to remember their wireless plans and their network clients.

So most network attacks and wireless attacks can be used against them. These are some of the more popular attacks and tools that we see when we do pen tests. SSLstrip, another very popular tool. Basically, we can view your data and view your e-mail authentication, even if you’re using SSL or authenticated information.

We can look at all your URLs. We can actually redirect you to any URL we want. We can steal your cookies or log in as you on Web sites such as Gmail and Facebook. So, a lot of different scenarios. And I’ll pretty much leave it at this: people ask me, “How do I protect against BYOD?” “What do I buy?” If I talk to Aruba, they always tell me BYOD is all about wireless solutions.

And you talk to Cisco, they’ll tell you BYOD is about the network, protect our buyer network solution. And you talk to an AirWatch or MobileIron, they’ll tell you it’s all about the MDM and protecting the end points. What we’re finding is that it’s not really any one of those. You really have to look at the whole suite of solutions and figure out how to design and build the building blocks in your framework to protect against BYOD and mobility, and really somehow incorporate all these technologies into the network.

What we do with a lot of our customers is figure out how we can do this in a seamless way. How do we make sure that they have a way of managing this without spending a lot of time managing a hundred different products? These days it’s really popular to say “zero touch IT”. We know that there’s no such thing as “zero touch IT”. But as long as we can get as little touch as we want, as weird and as strange as that sounds, maybe that’s a good thing. Because people have other jobs. They have their day job as well, and there’s no way IT can usually manage the influx of mobile devices coming in without a good framework, without a good architecture that’s built in.

So we already know the risks of not protecting against mobility. And, you know, there can be a lot of compliance risks. There can be legal risks, a lot of privacy risks, but we’re just providing users this service if we decide to have a BYOD strategy and we don’t protect users.

So that’s why I kind of preach that this space is a new space. It’s an up and coming space. It’s a fun space. I really have a lot of fun playing around with these technologies, figuring out what it is. It kind of reminds me of network security and how it was about 10 years ago. It’s cutting edge. Not a lot of people are doing it these days and there are a lot of problems out there. So, like I said, I have a lot of different resources on my Twitter and on my blog as well. I have tons of different resources you can use.


Questions and answers

Max, Concise Courses:
That was brilliant. Really, really good. Fascinating. Thank you very much for sharing that. If anyone has questions, remember to use the chat box. Aamir, do you have a rough idea of the percentage of company employees that use their own personal devices versus company sanctioned devices?

Aamir Lakhani:
Yeah, so we’re actually finding there’s a very large majority of users in companies that are using their own devices, whether the company approves of them or knows about them or not. Basically, we recently did a survey with most of our major customers, which are essentially a lot of the Global 100, and we really found about 70 plus percent of people were using their own devices.

A lot of companies are thinking about incorporating some sort of corporate owned devices. They haven’t quite figured out what the right strategy is going to be. A lot of them already have corporate owned devices, such as a Blackberry strategy in the past. They’re kind of figuring out, “Okay. I need to give my users more choices because a lot of people want the Android or want the iOS devices,” but a lot of them just aren’t ready and haven’t really kind of accepted the fact that BYOD is already there.


Max, Concise Courses:
I think the majority of people watching this right now are probably going to be involved in some capacity. But I think going forward, this video is going to be watched by a lot of companies who don’t necessarily have that focus and awareness of information security. And what I feel is that there seems to be sort of a battle in a lot of companies between the IT admin, who is protecting data, and the employees who love using their mobile devices; they love using their iPad in a presentation, for example. So there’s that kind of conflict. Do you have any resources on your Web site? Can you point to any resources where an IT admin could get some help in formulating a BYOD policy?

Aamir Lakhani:
Yes, absolutely. So the first thing I always get asked is, “Where can I find a policy that’s like one size fits all?” “Where can I replace a company name with my company name?” And, unfortunately, I will tell you from my experience, we can’t do that right now. It takes a little bit of work to do that. There are resources out there. There are definitely a lot of different ways of defaulting policies that we do. About 10 years ago every IT security guy told you, “We need a policy.” And what did we do? We ignored them. We were like, “Fine. That’s great. But let me just start implementing technology.”

And we’re kind of back to that same step. And you really have to go to that same step, and you have to look at different aspects. When I just look at storage on mobile devices, I kind of look at the same policies that I have with USB devices. And that’s just one aspect: storage on mobile devices versus mobile storage as well.

So you have to kind of look at a lot of different things and kind of figure out what’s applicable to your organization as well. And about the IT admins that don’t want to or don’t accept it, you know, they say, “Well, I’m not ready for mobility or BYOD, so I’m just going to turn off Exchange ActiveSync and not allow things on the network.”

What we’re finding is that that’s not a solution. As you can tell, there’s a lot of information on those devices. I had a customer, recently, that was talking back and forth on text messages about a merger. And one of their phones got hacked. And once again, they didn’t have a mobility solution. He didn’t allow mobile devices on their network. But they still ended up going through a lot of legal problems because somebody hacked their text messages, and they were talking about a very large merger that got out in public.

So we have to be aware of different solutions. There’s going to be information on devices that we don’t know about. I can always put a redirect on my laptop, and I’m allowing e-mail on my laptop, so I’ll get it on my mobile device. People will find ways around. They want to work easy. They’ll find ways to be efficient themselves.


Max, Concise Courses:
Absolutely. A final question. Can you share three rough and ready tips for just everyday mobile users to secure their smart phones? So anything that you suggest you definitely have got to do this, you definitely have got to do that, just a couple of tips for somebody like myself. What should I be doing with my mobile device to at least make it as secure as possible?

Aamir Lakhani:
A lot of the common sense we use in our regular day to day lives, we should definitely use on mobile devices. One of the major findings is, a lot of the time when we see a weird link come in, a lot of people are already trained not to go to it on their laptops, but they’ll go to it on their mobile devices. They think they’re better protected. And curiosity gets them. That’s actually one of the biggest attacks that I’m seeing. People are knowingly going to links that are bad, because they’re thinking they’re more protected on mobile devices.

The other big thing that I’ve seen is, definitely leave off your Bluetooth and your Wi-Fi when you’re not using them. Not only does it save your battery, but there are a lot of attack vectors, such as the WiFi Pineapple, that will connect to your mobile device even if there’s no mobile network around. It will just establish a network connection and then the attacker has a way to connect to your mobile device.

Lastly, look at the applications that you’re using. I mean, on mobile devices, we’re downloading applications left and right. Look at stuff on application stores. The Apple App Store does a great job so far on vetting apps. Don’t go outside to third-party stores. Don’t try to jailbreak or root your device unless you really know what you’re doing. I mean, I do have my devices jailbroken and rooted, but if you’re the average user, don’t just start downloading every app. Use common sense with everything.


Max, Concise Courses:
That was amazing advice. Incredibly interesting content, and I want to wish you continued success. Safe travels, and we’ll see you in Miami in the next couple of days.

Aamir Lakhani:
Perfect. Sounds good.

Max, Concise Courses:
Thank you. Have a great rest of your day. Thanks, sir.